Guest Voices: The top three things you should do to manage cybersecurity risks

Shown is a copy of an email sent to Anthem Inc. plan members notifying them of a cyberattack.

Photo: Andrew Harrer/Bloomberg New

CNET may have summed up 2014 as the “Year of the Hack,” but 2015 already looks to be more of the same. Only a few weeks into the new year, TurboTax and Anthem have reported data breaches. It is no surprise then to see federal agencies and self-regulatory organizations rallying to address consumer security and privacy concerns.

On Jan. 27, the Federal Trade Commission issued a staff report recommending best practices for Internet-connected devices. A week later, both the Securities and Exchange Commission and Financial Industry Regulatory Authority followed suit.

The SEC’s risk alert culled observations from the Cybersecurity Initiative that the agency began in April. The initiative examined the cybersecurity policies and practices of 57 registered broker-dealers and 49 investment advisers. The risk alert carefully avoids creating recommendations or safe harbors but rather provides “summary observations” that firms may consider in assessing their cybersecurity compliance.

The FINRA report on cybersecurity practices is also the result of an industrywide examination of a cross-section of firms but goes further than the SEC risk alert by providing a summary of “principles and effective practices.”

Whether called best practices, observations or principles, three practices that will assist businesses in avoiding cybersecurity risks emerge from these reports.

Involve senior-level management: The FTC, SEC and FINRA all focus on who in a business is responsible for identifying and managing cybersecurity risks. FINRA said active executive management — including possible board-level involvement — is an essential practice to address cybersecurity threats. Thus, directors and officers of a corporation may face liability for lack of oversight. Businesses should evaluate, based on the size and complexity of their organizations, whether to hire a separate chief information security officer or to assign cybersecurity to their chief technology officer.

Exercise vendor oversight: A chain is only as strong as its weakest link. Any vendor that collects, processes or stores private information exposes a company to cybersecurity risks. Businesses should perform pre-contract due diligence on the security of any prospective service provider, and the service agreement itself should address the sensitivity of data and how the service provider will ensure the data’s integrity. Companies should include vendors in ongoing risk assessment. Clear service agreement provisions should allocate responsibility for data breaches.

Earlier this year, Travelers Casualty and Surety Company of America sued its insured’s Web designer, claiming the designer’s negligent maintenance of a website allowed a data breach.

Incorporate cybersecurity in personnel practices: Employees are one of the main sources of cybersecurity risks for businesses. In its initiative, the SEC found that the majority of breaches experienced by broker-dealers and investment advisers were due to failure to follow identity authentication procedures related to malware and fraudulent emails. To effectively manage cybersecurity risks, businesses must incorporate data security in their personnel practices, including the hiring, training and firing of employees.

By issuing these publications, federal agencies and self-regulatory organizations are putting the businesses under their purview on notice that in today’s digital world, no business can escape the task of addressing cybersecurity and data privacy.